Template Injection Workshop: Twig, Jinja, Freemarker and more

Welcome to this 2-hour workshop on Template Injection. Template injection, also known as Server-Side Template Injection (SSTI), is a vulnerability class that emerged in 2015. James Kettle's 2015 Black Hat talk established the foundations for the exploitation techniques in multiple template engines. Exploiting this type of issue requires specific knowledge of the template library or the language being used under the hood.

The workshop is divided into six labs and an introduction. First, there will be an introduction to the vulnerability. This segment is needed to understand the attack patterns well enough to recognize potential vulnerabilities.
Then we will investigate five different template engines with unique twists. Each template engine has an exercise consisting of a web application that exposes that engine.

Chapters:
0:00 : Title screen
0:05 : Introduction
6:25 : Twig
9:02 : Demonstration for Twig
15:42 : Jinja2
26:20 : Demonstration for Jinja2
32:19 : Tornado
33:36 : Demonstration for Tornado
36:17 : Velocity
41:53 : Demonstration for Velocity
45:07 : Freemarker part 1
49:28 : First demonstration for Freemarker
51:53 : Freemarker part 2 (Sandbox escape)
1:03:28 : Second demonstration for Freemarker
1:07:15 : Conclusion
Comments

Thank you for sharing this. I really liked how you explained the different attack methods, and shared some unknown tips and tricks for handling tricky cases, like when the Twig engine was only returning the last line.

stackoverflow

Can you give this all payload list pls

warhackerone

Can you give me this all payload list pls

warhackerone